The debut offering from startup FireEye, the FireEye 4200 appliance is a 1U box that provides Network Access Control features to the organization: it identifies malware-compromised machines based on the traffic they send and receive, and then takes action, working with the existing network infrastructure, to quarantine the machine so it cannot infect other networked resources. The device is deployed alongside the network's existing access switch layer, in either a monitor-only mode or an active-quarantine mode. In either mode, the device plugs into the network via an existing mirror port, SPAN port, or network TAP.
The FireEye 4200 requires no agents, configuration, or policy definitions and can, according to the vendor, be operational in minutes. Six 10/100/1000 ports facilitate the LAN connectivity; the vendor recommends deployment in environments with 1000 users per appliance and/or with sustained network traffic of 500 Mb/sec. A pair of USB ports are also included on the device and are "slated for future feature enhancements."
Key to the appliance's operation is the "FACT" (FireEye Analysis and Control Technology) Engine, utilized within the machine to identify and confirm the presence of infected machines on the network.
Specifically, the device first identifies suspicious network traffic through a combination of "ultra-sensitive" behavior anomaly detection heuristics (about a dozen different classes, according to the vendor) and passive network profiling. The anomaly detection can be ultra-sensitive because it need not worry about reporting false positives; those are caught in the virtual machine analysis phase (described below). Passive profiling allows the appliance to select the correct virtual machine for the subsequent analysis and to weed out traffic that may be anomalous but does not actually apply to the network environment being protected.
After identifying suspicious traffic, the appliance confirms that this traffic is indeed malicious by applying it (the suspicious traffic) to virtual "victim" machines and noting the results. The vendor summarizes the overall methodology with the phrase "if it doesn't infect, let it connect."
Quarantine of infected machines can be accomplished through either manual or automated means, via the FireEye's ability to communicate and work with the existing networking infrastructure (the FireEye can instruct third-party devices on the network to implement the quarantine). Possible communication methods include direct interaction with enforcement points (Aruba, for example), issuing SMTP alerts or SNMP traps to network management tools, or HTTPS POST of XML alerts. Possible quarantine actions include VLAN reassignment; ACL updates to restrict traffic by port, MAC, or IP; or targeted switch port blocking.
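To make the two-stage design concrete, here is an added illustration (not FireEye's code, and not from the original write-up) of why a deliberately over-sensitive first stage is acceptable when a stricter confirmation stage follows it. The flow records, the passive-profile table, the quarantine VLAN id and the sandbox outcome are all constructed for the example; a real appliance would derive the sandbox outcome by replaying the traffic against a virtual victim.

```python
from collections import defaultdict

QUARANTINE_VLAN = 999            # assumed quarantine VLAN id (placeholder, not from the page)
FANOUT_THRESHOLD = 25            # deliberately low: stage one favours recall over precision

# Constructed sample flows: (src, dst, dst_port)
FLOWS = [("10.0.0.5", f"10.0.0.{i}", 445) for i in range(20, 60)]          # SMB fan-out
FLOWS += [("10.0.0.7", "203.0.113.9", 25), ("10.0.0.8", "10.0.0.1", 80)]   # odd SMTP; normal web

# Constructed passive-profiling result: OS guess per host, plus which hosts really relay mail
PROFILE = {"10.0.0.5": "windows", "10.0.0.7": "windows", "10.0.0.8": "linux",
           "mail_servers": {"10.0.0.2"}}

# Constructed stand-in for the virtual-victim stage: (host, vm_image) pairs whose
# replayed traffic actually infected the VM. Only the fan-out host infects anything here.
SANDBOX_INFECTED = {("10.0.0.5", "windows")}

def stage1_suspects(flows, profile):
    """Ultra-sensitive heuristics: flag anything remotely odd; false positives are fine here."""
    fanout = defaultdict(set)
    suspects = {}
    for src, dst, port in flows:
        fanout[src].add(dst)
        if port == 25 and src not in profile["mail_servers"]:
            suspects[src] = "smtp-from-non-mail-host"
    for src, dsts in fanout.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            suspects[src] = "fan-out"
    return suspects

def stage2_confirm(suspects, profile, sandbox=SANDBOX_INFECTED):
    """Replay each suspect's traffic against the VM image its passive profile selects;
    keep only hosts whose traffic really infected the victim ("if it doesn't infect, let it connect")."""
    return {src: reason for src, reason in suspects.items()
            if (src, profile.get(src, "windows")) in sandbox}

def quarantine_actions(confirmed):
    """Turn confirmed infections into enforcement instructions (VLAN reassignment here)."""
    return [{"host": h, "reason": r, "action": "vlan_reassign", "vlan": QUARANTINE_VLAN}
            for h, r in sorted(confirmed.items())]

def run(flows=FLOWS, profile=PROFILE):
    suspects = stage1_suspects(flows, profile)
    return suspects, quarantine_actions(stage2_confirm(suspects, profile))

if __name__ == "__main__":
    suspects, actions = run()
    print("stage 1 suspects:", suspects)      # two hosts flagged, one of them a false positive
    print("quarantine actions:", actions)     # only the confirmed host is moved to the VLAN
```

The direct-SMTP host is flagged by stage one but dropped by stage two, which is exactly the false positive the vendor says the VM phase is meant to absorb.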
The FireEye 4200 is available now at $29,995 per unit. Contact the vendor for further information.
product submission by EITPlanet Staff